Probabilistic metric for random hardware failure

ABSTRACT

A method of determining a probabilistic metric for random hardware failure for an electronic system, such as a microcontroller, which comprises elements and safety mechanisms (SMs) is disclosed. The safety mechanisms include first layer safety mechanisms (FL-SMs) and second layer safety mechanisms (SL-SMs). A first layer safety mechanism may provide at least partial coverage of failure of a part and a second layer safety mechanism may provide at least partial coverage of failure of a first layer safety mechanism. The method comprises calculating a first set of probabilities (K_(SM_i)) associated with the first layer safety mechanisms, calculating a second set of probabilities (K_(DVF_n)) associated with direct violation faults in the parts and calculating a third set of probabilities (K_(IVF_n)) associated with indirect violation faults in the parts. The method includes obtaining the value of the probabilistic metric for random hardware failure in dependence on the first, second and third sets of probabilities.

FIELD OF THE INVENTION

The present invention relates to a probabilistic metric for random hardware failure.

BACKGROUND

ISO26262-5 clause 9 proposes two alternative methods of evaluating residual risk of a safety goal violation due to random hardware faults. One is a probabilistic metric called “probabilistic metric for random hardware failures” (PMHF) which involves evaluating violation of a safety goal using, for example, quantified Fault Tree Analysis (FTA) and comparing the result of the quantified values with a target value with the aim of evaluating whether the residual risk of safety goal violations is sufficiently low. The other involves individually evaluating each residual and single-point fault, and each dual-point failure leading to the violation of the considered safety goal.

The PMHF is the probability that an item will actually fail—and so violate its safety goal—due to random hardware faults. It takes into consideration contributing single point faults (SPFs), residual faults (RFs) and plausible dual point faults (DPFs) and also their time relation. The inclusion of dual point faults can lead to more complex functions of time.

In ISO26262-10, the PMHF is evaluated using an FTA approach, computing the probability that a fault occurs on a branch and combining, by summing up (through OR gates) or multiplying up (through AND gates), the probabilities of all the faults to obtain the overall probability of having a hazard in the system under analysis.

The FTA approach can be represented using graphical symbols which can help make the analysis easier to understand. However, this approach can lead to very large trees and, because the PMHF is evaluated by combining the probabilities of all faults, to complex calculations which can be slow and involve considerable processing.

SUMMARY

According to a first aspect of the present invention there is provided a method of determining a probabilistic metric for random hardware failure for an electronic system, such as a microcontroller, which comprises elements and safety mechanisms (SMs). The safety mechanisms include first layer safety mechanisms (FL-SMs) and second layer safety mechanisms (SL-SMs). A first layer safety mechanism may provide at least partial coverage of failure of a part and a second layer safety mechanism may provide at least partial coverage of failure of a first layer safety mechanism. The method comprises calculating a first set of probabilities (K_(SM_i)) associated with the first layer safety mechanisms, calculating a second set of probabilities (K_(DVF_n)) associated with direct violation faults in the parts and calculating a third set of probabilities (K_(IVF_n)) associated with indirect violation faults in the parts. The method includes obtaining the value of the probabilistic metric for random hardware failure in dependence on the first, second and third sets of probabilities.

This can allow the PMHF to be calculated more quickly using failure modes and effects analysis (FMEA)-like analysis.

A fault may be a direct violation fault (DVF) which, in the absence of any safety mechanism, has the potential to violate a safety goal directly. A fault which is categorized as being a direct violation fault and which is not covered by a safety mechanism can lead to an ISO 26262 single point fault (SPF) or an ISO 26262 residual fault (RF). A fault may be an indirect violation fault (IVF) which, only in combination with one or more other faults, has the potential to violate a safety goal. A fault which is categorized as being an indirect violation fault can lead to an ISO 26262 multiple point failure (MPF). A fault may be a no violation fault (NVF) which, even in combination with one or more other faults, does not have the potential to violate a safety goal. A fault which is categorized as being a no violation fault can be categorised as an ISO 26262 safe fault (SF).

The method may comprise storing the first, second and/or third sets of probabilities and/or storing the value of the probabilistic metric for random hardware failure. The method may comprise displaying the value of the probabilistic metric for random hardware failure. The method may further comprise outputting the value of the probabilistic metric for random hardware failure.

The method may comprise automatically obtaining the value of the probabilistic metric for random hardware failure. The method may comprise automatically outputting the value of the probabilistic metric for random hardware failure.

Obtaining the value of the probabilistic metric for random hardware failure may include adding the first, second and third sets of probabilities. Obtaining the value of the probabilistic metric for random hardware failure may include dividing (i.e. dividing a result which includes adding the first, second and third sets of probabilities) by an estimated life time of the system (T_(life)).

The method may further comprise identifying a fourth set of failure rate contributions arising from the second layer safety mechanisms, wherein obtaining the value of the probabilistic metric for random hardware failure includes adding the first, second, third and fourth sets of failure rate contributions, or wherein the first and second sets of failure rate contributions include the fourth set of failure rate contributions.

The value of the probabilistic metric for random hardware failure is preferably obtained in accordance with the ISO 26262 standard.

The method may further comprise, for each first layer safety mechanism, determining whether a fault affecting the first layer safety mechanism is a direct violation fault or an indirect violation fault, determining whether the fault is covered by a second layer safety mechanism and, in dependence upon the fault being covered by a second layer safety mechanism, establishing a link between the first layer safety mechanism and the second layer safety mechanism.

The method may further comprise, for each element, determining whether a fault affecting the element is a direct violation fault or an indirect violation fault, determining whether the fault is covered by a first layer safety mechanism and, in dependence upon the fault being covered by a first layer safety mechanism, establishing a link between the part and the first layer safety mechanism.

Calculating the first set of probabilities may comprise, for each first layer safety mechanism, calculating a contribution due to a single direct violation fault in the first layer safety mechanism and contributions due to combinations of a first fault occurring in a second layer safety mechanism and a later second, direct violation fault occurring in the first layer safety mechanism.

Calculating the second set of probabilities comprises, for each part, calculating a contribution, if any, due to direct violation faults; and calculating a contribution, if any, due to indirect violation faults.

Calculating the second set of probabilities may comprise determining a contribution to the probabilistic metric for random hardware failure due to direct violation faults in parts. Calculating the second set of probabilities may comprise determining a contribution to the probabilistic metric for random hardware failure due to indirect violation faults in parts.

Calculating the third set of probabilities may comprise, for each part: determining whether the part is linked to another part and determining a contribution to the probabilistic metric for random hardware failure due to indirect violation faults for the part and the other part.

The electronic system may be an integrated circuit or a plurality of electronic components. For example, the integrated circuit may be a microcontroller. The microcontroller may be a microcontroller configured to be used in a vehicle chassis application. For instance, the microcontroller may include a FlexRay communication controller. The integrated circuit may be an application specific integrated circuit (ASIC). The plurality of electronic components may include integrated circuit(s), discrete component(s), such as resistors, diodes, etc., MEMS device(s), sensor(s) and/or actuator(s).

According to a second aspect of the present invention there is provided a method of designing an electronic component. The method includes preparing a design of the electronic component, generating functional safety data for the first design of the electronic apparatus, and preparing a revised design of the electronic apparatus in dependence upon the functional safety data.

According to a third aspect of the present invention there is provided a method of fabricating an electronic component. The method comprises designing an electronic component and fabricating the electronic component according to the revised design.

According to a fourth aspect of the present invention there is provided a computer program which, when executed by data processing apparatus, causes the data processing apparatus to perform the method.

According to a fifth aspect of the present invention there is provided a computer program product (which may be non-transitory) comprising a computer-readable medium storing the computer program.

According to a sixth aspect of the present invention there is provided a design support system which includes data processing apparatus comprising at least one processor and at least one memory. The at least one processor is configured to perform the method.

According to a seventh aspect of the present invention there is provided an electronic system fabricated by the method of fabrication.

BRIEF DESCRIPTION OF THE DRAWINGS

Certain embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings, in which:

FIG. 1 schematically shows an element of an electronic system, a first layer safety mechanism (FL-SM) providing protection for a portion of the element and a second layer safety mechanism (SL-SM) providing protection for a portion of the first layer safety mechanism;

FIG. 2A illustrates an FTA branch for first and second faults;

FIG. 2B shows a timeline for the first and second faults shown in FIG. 2A;

FIG. 3 shows a timeline for a fault;

FIG. 4 shows a timeline for two faults whose order is relevant;

FIG. 5 shows a timeline for two faults whose order is not relevant;

FIG. 6 shows a timeline for two faults whose order is relevant and which occur in a time span τ;

FIG. 7 shows a timeline for three faults including first and second faults whose order is not relevant and which occur in a time span, and a third fault which occurs after the end of the time span;

FIG. 8 shows a timeline for three faults including a first fault which occurs in a first time span, a second fault which occurs in a second time span which occurs after the end of the first time span and a third fault which occurs after the end of the second time span;

FIG. 9 illustrates an FTA branch for first and second indirect violation fault (IVF) faults;

FIG. 10 is a process flow diagram of a method of generating a PMHF value;

FIG. 11 is a process flow diagram of a method of deriving lambda values for SL-SMs;

FIG. 12 is a process flow diagram of a method of deriving lambda values for FL-SMs;

FIG. 13 is a process flow diagram of a method of deriving lambda values for elements;

FIG. 14 is a process flow diagram of a method of determining basic contributions from FL-SMs;

FIG. 15 is a process flow diagram of a method of determining basic contributions from parts;

FIG. 16 is a process flow diagram of a method of determining a PMHF contribution due to IVF faults;

FIG. 17 illustrates determining the PMHF;

FIG. 18 is a schematic block diagram of a design support system including a safety database which stores a customisable analysis report;

FIG. 19 is a schematic block diagram of a customer safety analysis system;

FIG. 20 is a design support process flow diagram;

FIG. 21 is a schematic diagram of element characterisation data; and

FIG. 22 is a schematic block diagram of an electronic system or component.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

A process is herein described whereby values of the PMHF can be obtained using FMEA-like analysis. This can be used to evaluate the safety of an electronic system, such as an integrated circuit or a part thereof, more easily and/or quickly compared to using an FTA-like approach.

Referring to FIG. 1, an element (herein also referred to as a “part”) which may comprise hardware is shown. The element is included in a system (such as an integrated circuit, for example, a microcontroller). An element can be, for example, a processing unit, volatile memory, non-volatile memory, a data transfer unit, various types of interface units, various types of communication units and timer units. The system may be provided with a plurality of safety mechanisms, each of which may be implemented in hardware, software or a combination of both. A safety mechanism (herein referred to as a “first layer safety mechanism”) may provide coverage for all or a portion of the element. A safety mechanism (herein referred to as a “second layer safety mechanism”) may provide coverage for all or a portion of another safety mechanism. Functional safety analysis may be carried out to determine a PMHF value for the element, i.e. the probability that the element will fail (and so violate its safety goal) due to random hardware faults. This process involves considering a range of faults, such as SPFs, RFs and MPFs with n=2, taking into account safety mechanisms.

As an example, an element may be a main oscillator. A first layer safety mechanism may be provided in the form of a clock monitor. Such a clock monitor may provide partial control and detection (“C&D”) coverage of the clock monitor. However, there may be no safety mechanism for the clock monitor, in other words, there is no second layer safety mechanism. A single fault or combination of faults that could lead to the violation of the safety goal includes (1) any fault in an uncovered portion of the main oscillator linked to the fault and (2) a fault which renders the clock monitor unavailable, followed by a fault in a covered portion of the clock monitor. The uncovered portion of an element is linked to uncovered failure/fault.

Thus, safety analysis can be used to break down the failure rates for the main oscillator into different lambda values.

The process is based on defining or using behavioural models herein referred to as “basic contributions” (BC) for each type of fault, such as SPFs, RFs and MPFs with n=2, deriving a probability of creating a hazard for each basic contribution and summing the contributions to obtain an overall PMHF value. Each basic contribution can be represented as a sequence of independent faults able to create a hazard and is characterized by a timeline showing the exact order of the faults. A basic contribution is the probability of the event (depicted in the timeline) occurring.

FIGS. 2A and 2B respectively show an example of an FTA branch and a corresponding timeline for first and second faults F1, F2 for a basic contribution. The two ways of illustrating and describing a basic contribution are interchangeable.

In the illustrated example, the second fault F2 will only create a hazard if it occurs after the first fault F1. When using an FTA branch representation, this order is indicated using a letter ‘L’ in a box on the left-hand side of the second fault F2. Thus, in this example, the second fault F2 must be the last one to occur for the hazard to arise. Thus, an FTA branch can be replaced by a corresponding basic contribution.

Descriptions of various basic contributions are hereinafter described.

The process is based on a set of assumptions and a plurality of fault sets. An example set of assumptions and examples of fault sets are set out in Tables 1 and 2 respectively. The assumptions may be modified. For example, other assumptions may be used.

TABLE 1

ID | Assumption | Description
1 | Only one SM acting on the same fault | If more than one SM is covering the same fault, only the best SM (i.e. the one offering the highest coverage of a failure) is actually considered for the calculation of the PMHF
2 | SL-SM executes tests periodically | The second layer SM is not continuously available to check the functionalities of a first layer safety mechanism (FL-SM), for example, a key-on test; the SL-SM performs tests every τ.
3 | Faults in a SL-SM can only be IVF | There will be no direct contribution to the PMHF from a SL-SM; the portion of failures in time (FIT) associated to it is only considered as a contribution due to parts covered by the SM itself
4 | There is no possibility of having a hazard due to multiple faults affecting the same part | Even if a part is hit by two different IVF faults, this will not lead to a hazard
5 | SL-SM is only capable of detection | There is no possibility that a second layer SM can correct or mask faults; it is assumed to be able only to detect the occurrence of a fault and flag it to the upper application layer
6 | T_(life) is an integer number of time spans τ (i.e. T_(life) = kτ, k = 1, 2, 3, . . . ) | This assumption is used to ease the calculation of the contribution due to SMs performing tests on a regular time base
7 | There is no possibility of having a hazard due to a group of three or more faults | Contributions arising from three or more different IVF faults are excluded from consideration
8 | No contribution from software safety mechanisms | Software-based safety mechanisms are not considered

TABLE 2

ID | Descriptive sets of faults | Description | Associated portion of FIT
1 | Pa_DVF_U_U | set of direct violation fault (DVF) faults in part P_(a) not covered by any SM | λ_(Pa_DVF_U_U)
2 | Pa_DVF_Di_U | set of DVF faults in part P_(a) detected (and controlled) by FL-SMi whose faults are not covered by any other SM | λ_(Pa_DVF_Di_U)
3 | Pa_DVF_Di_Dj | set of DVF faults in part P_(a) detected (and controlled) by FL-SMi whose faults are in turn covered by SL-SMj | λ_(Pa_DVF_Di_Dj)
4 | Pa_DVF_Ci_U | set of DVF faults in part P_(a) controlled-only by FL-SMi whose faults are not covered by any other SM | λ_(Pa_DVF_Ci_U)
5 | Pa_DVF_Ci_Dj | set of DVF faults in part P_(a) controlled-only by FL-SMi whose faults are in turn covered by SL-SMj | λ_(Pa_DVF_Ci_Dj)
6 | Pa_IVF_U_U | set of IVF faults in part P_(a) not covered by any SM | λ_(Pa_IVF_U_U)
7 | Pa_IVF_Ci_U | set of IVF faults in part P_(a) controlled-only by FL-SMi whose faults are not covered by any other SM | λ_(Pa_IVF_Ci_U)
8 | Pa_IVF_Ci_Dj | set of IVF faults in part P_(a) controlled-only by FL-SMi whose faults are in turn covered by SL-SMj | λ_(Pa_IVF_Ci_Dj)
9 | Pa_IVF_Di_U | set of IVF faults in part P_(a) detected by FL-SMi whose faults are not covered by any other SM | λ_(Pa_IVF_Di_U)
10 | Pa_IVF_Di_Dj | set of IVF faults in part P_(a) detected by FL-SMi whose faults are in turn covered by SL-SMj | λ_(Pa_IVF_Di_Dj)
11 | FL-SMi_DVF_U | set of DVF faults in FL-SMi not detected by any SM | λ_(FL-SMi_DVF_U)
12 | FL-SMi_DVF_Dj | set of DVF faults in FL-SMi detected by SL-SMj | λ_(FL-SMi_DVF_Dj)
13 | FL-SMi_IVF_U | set of IVF faults in FL-SMi not detected by any SM | λ_(FL-SMi_IVF_U)
14 | FL-SMi_IVF_Dj | set of IVF faults in FL-SMi detected by SL-SMj | λ_(FL-SMi_IVF_Dj)
15 | SL-SMj | all faults affecting SL-SMj | λ_(SL-SMj)

The indices ‘i’ and ‘j’ are used to address first layer safety mechanisms (or “FL-SMs”) and second layer safety mechanisms (or “SL-SMs”) respectively. The indices are intended to create an unambiguous link between a part (or an FL-SM) and its corresponding safety mechanism. Examples of a part include, for example, a CPU core, embedded memory or a communication unit which may be included in a microcontroller or other integrated circuit.

In the following, attention may be given to a single first layer safety mechanism (or second layer safety mechanism) for the sake of simplicity. In reality, however, faults affecting a part can be covered by more than one safety mechanism and in turn a fault in a first layer safety mechanism can be covered by more than one second layer safety mechanism. Thus, even if the description refers to a single safety mechanism at a time, the process can consider the possibility of two or more safety mechanisms acting together.

The sets introduced in Table 2 are simplified examples intended to simplify the descriptions of the basic contributions described hereinafter. For example, sets “Pa_DVF_Di_Dj” and “Pa_DVF_Di_U” may have no meaning because a fault in part P_(a) is covered by FL-SMi in full, not by a part of it. Thus, the fault is covered by all of the sub parts of a FL-SM. In other words, in a more practical application, a single set, namely Pa_DVF_Di, can be used which includes both sets. The sets presented in Table 2 are intended to help provide a better understanding of how to use basic contributions. An actual evaluation of the PMHF is done using the sets described in Table 5.

Definition of Basic Contributions

Formulas in this section are derived from Probability Theory. For the sake of simplicity, in this section, the following names and symbols are used:

- F_(i): fault i
- λ_(i): portion of FIT (or “failure rate”) associated to F_(i)
- t_(Fi): instant at which F_(i) occurs
- T_(life): estimated life time of the item under analysis
- τ: estimated time span between two different tests of the first layer SM by a possible second layer SM (herein also referred to as “test interval”)
- FTT: Fault Tolerant Time

BC_(single)

BC_(single) is the contribution to the PMHF of a single fault not covered by any SM, which can occur during the whole life-time. FIG. 3 shows the timeline of this contribution. From Probability Theory, it is possible to evaluate the quantitative contribution to the PMHF of BC_(single) using Formula 1, namely:

$\begin{matrix}{{{BC}_{single}( \lambda_{F\; 1} )} = {{\int_{0}^{T_{life}}{\lambda_{F\; 1}{dt}}} = {\lambda_{F\; 1}T_{life}}}} & (1)\end{matrix}$

Example: a DVF fault not covered by any SM can create a hazard at any time during the whole life time of a car. Its contribution to the PMHF can then be evaluated using Formula 1. Considering a whole part that can be affected by DVF faults, this contribution has to be evaluated for each fault; the result is expressed by Formula 2, namely

$\begin{matrix}{{BC}_{single}( \lambda_{Pa\_DVF\_U\_U} ) = \sum\limits_{F_{n} \in \{Pa\_DVF\_U\_U\}} {BC}_{single}( \lambda_{F_{n}} ) = \lambda_{Pa\_DVF\_U\_U}\,T_{life}} & (2)\end{matrix}$

BC_(double_ord)

BC_(double_ord) is the contribution of two faults occurring in an ordered sequence, namely a first fault F1 occurring first and then a second fault F2 occurring. FIG. 4 shows the timeline of this contribution. From Probability Theory, it is possible to evaluate the quantitative contribution to the PMHF of BC_(double_ord) using Formula 3, namely:

$\begin{matrix}{{{BC}_{{double}\;\_\;{ord}}( {\lambda_{F\; 1},\lambda_{F\; 2}} )} = {{\int_{0}^{T_{life}}{( {\int_{0}^{t}{\lambda_{F\; 1}\lambda_{F\; 2}{dx}}} ){dt}}} = {\lambda_{F\; 1}\lambda_{F\; 2}\frac{T_{life}^{2}}{2}}}} & (3)\end{matrix}$

The order of the arguments (λ_(F1), λ_(F2)) in Formula 3 is the same as the order of the faults in the sequence that leads to the hazard. It is noted that the formula involves a multiplication and so the order of the terms does not affect the result.

Example: a DVF fault covered by a safety mechanism capable of control and detection (also referred to as “C&D” or simply as “CD”) can only create a hazard if the safety mechanism becomes unavailable before the fault occurs. The sequence of faults resulting in a hazard in this case is shown in FIG. 4 where the first fault F1 is the fault that causes the safety mechanism to become unavailable and the second fault F2 is the DVF fault.

For each single DVF fault affecting a part, this contribution has to be evaluated for all the faults that make the safety mechanism unavailable. The result is expressed by Formula 4:

$\begin{matrix}{{BC}_{double\_ord}( \lambda_{FL\text{-}SM_{i}\_IVF\_U}, \lambda_{Pa\_DVF\_D_{i}\_U} ) = \sum\limits_{F\_P_{n} \in \{Pa\_DVF\_D_{i}\_U\}} \left\lbrack \sum\limits_{F\_FL\text{-}SM_{m} \in \{FL\text{-}SM_{i}\_IVF\_U\}} {BC}_{double\_ord}( \lambda_{F\_FL\text{-}SM_{m}}, \lambda_{F\_P_{n}} ) \right\rbrack = \lambda_{FL\text{-}SM_{i}\_IVF\_U}\,\lambda_{Pa\_DVF\_D_{i}\_U}\,\frac{T_{life}^{2}}{2}} & (4)\end{matrix}$

BC_(double_unord)

BC_(double_unord) is the contribution of two faults occurring without any restriction on their sequence. FIG. 5 shows the timeline of this contribution. The double-headed arrow between the faults shows that the faults can be swapped as the order of their occurrence is not relevant. From Probability Theory, it is possible to evaluate the quantitative contribution to the PMHF of BC_(double_unord) using Formula 5:

$\begin{matrix}{{{BC}_{{double}\;\_\;{unord}}( {\lambda_{F\; 1},\lambda_{F\; 2}} )} = {{\int_{0}^{T_{life}}{( {\int_{0}^{T_{life}}{\lambda_{F\; 1}\lambda_{F\; 2}{dx}}} ){dt}}} = {\lambda_{F\; 1}\lambda_{F\; 2}T_{life}^{2}}}} & (5)\end{matrix}$

Example: a DVF fault covered by a safety mechanism providing control but no detection can create a hazard if either one of the following conditions is met, namely (1) the safety mechanism is made unavailable before the fault occurs or (2) the safety mechanism is made unavailable after the fault in P has occurred (and so it has been controlled, remaining latent). Both conditions are shown by FIG. 5 and Formula 5 represents this case.

For each DVF fault affecting a part, this contribution has to be evaluated for all the faults that make the safety mechanism unavailable; the result is expressed by Formula 6:

$\begin{matrix}{{BC}_{double\_unord}( \lambda_{FL\text{-}SM_{i}\_IVF\_U}, \lambda_{Pa\_DVF\_C_{i}\_U} ) = \sum\limits_{F\_P_{n} \in \{Pa\_DVF\_C_{i}\_U\}} \left\lbrack \sum\limits_{F\_FL\text{-}SM_{m} \in \{FL\text{-}SM_{i}\_IVF\_U\}} {BC}_{double\_unord}( \lambda_{F\_FL\text{-}SM_{m}}, \lambda_{F\_P_{n}} ) \right\rbrack = \lambda_{FL\text{-}SM_{i}\_IVF\_U}\,\lambda_{Pa\_DVF\_C_{i}\_U}\,T_{life}^{2}} & (6)\end{matrix}$

BC_(tau)

BC_(tau) is the contribution of two faults occurring in an ordered sequence within a limited time span τ. This basic contribution is similar to BC_(double_ord), the difference being that there is a limited time span in which this contribution is made possible. FIG. 6 shows the timeline of the sequence of the faults for this contribution. From Probability Theory, it is possible to evaluate the quantitative contribution to the PMHF of BC_(tau) using Formula 7:

$\begin{matrix}{{{BC}_{tau}( {\lambda_{F\; 1},\lambda_{F\; 2}} )} = {{\int_{0}^{\tau}{( {\int_{0}^{t}{\lambda_{F\; 1}\lambda_{F\; 2}{dx}}} ){dt}}} = {\lambda_{F\; 1}\lambda_{F\; 2}\frac{\tau^{2}}{2}}}} & (7)\end{matrix}$

Example: this is one of the possible ways in which a DVF fault controlled (and possibly detected) by a FL-SM, which is in turn monitored by a SL-SM (executing a test every τ), can cause a hazard.

In between two consecutive tests performed by the SL-SM, there is no way of being aware that a fault (F1) has occurred and made the FL-SM unavailable. So if another fault occurs in the part within the same time span, then there will be a hazard.

For this contribution, the possibility that the SL-SM is not available has not been considered since, due to the periodic nature of the SL-SM (see Table 1), the sequence of faults shown in FIG. 5 is able to lead to the hazard regardless of whether the SL-SM is correctly working or not.

Formula 8 gives the overall BC_(tau) contribution, considering all the faults affecting the part and the safety mechanism:

$\begin{matrix}{{BC}_{tau}( \lambda_{FL\text{-}SM_{i}\_IVF\_D_{j}}, \lambda_{Pa\_DVF\_D_{i}\_D_{j}} ) = \sum\limits_{F\_P_{n} \in \{Pa\_DVF\_D_{i}\_D_{j}\}} \left\lbrack \sum\limits_{F\_FL\text{-}SM_{m} \in \{FL\text{-}SM_{i}\_IVF\_D_{j}\}} {BC}_{tau}( \lambda_{F\_FL\text{-}SM_{m}}, \lambda_{F\_P_{n}} ) \right\rbrack = \lambda_{FL\text{-}SM_{i}\_IVF\_D_{j}}\,\lambda_{Pa\_DVF\_D_{i}\_D_{j}}\,\frac{\tau^{2}}{2}} & (8)\end{matrix}$

BC_(test)

BC_(test) is the contribution of three faults occurring with particular time constraints: the first and the second faults F1, F2 have to occur within the same time interval [(n−1)τ, nτ] while the third fault F3 has to occur after the end of that interval, t_(F3)>nτ. The order of occurrence of the first and second faults F1, F2 can be reversed. FIG. 7 shows the timeline of the sequence of the faults for this contribution. From Probability Theory, it is possible to evaluate the quantitative contribution to the PMHF of BC_(test) using Formula 9:

$\begin{matrix}{{{BC}_{test}( {\lambda_{F\; 1},\lambda_{F\; 2},\lambda_{F\; 3}} )} = {\lambda_{F\; 1}\lambda_{F\; 2}\lambda_{F\; 3}\tau^{2}\frac{T_{life}}{2}( {\frac{T_{life}}{\tau} - 1} )}} & (9)\end{matrix}$

Example: this is another possible way in which a DVF fault controlled by a FL-SM which is in turn monitored by a SL-SM (executing a test every τ) can cause a hazard, unrelated to the previous one.

If both first layer and second layer safety mechanisms are made unavailable within the same test interval [(n−1)τ, nτ], then there will be no possibility to be aware that the first layer safety mechanism is no longer working and so any fault occurring in P will not be covered, causing the hazard. Formula 10 gives the overall BC_(test) contribution related to a part, its related first layer and second layer safety mechanisms in whole:

$\begin{matrix}{{BC}_{test}( \lambda_{SL\text{-}SM_{j}}, \lambda_{FL\text{-}SM_{i}\_IVF\_D_{j}}, \lambda_{Pa\_DVF\_D_{i}\_D_{j}} ) = \sum\limits_{F\_P_{n} \in \{Pa\_DVF\_D_{i}\_D_{j}\}} \left\lbrack \sum\limits_{F\_FL\text{-}SM_{m} \in \{FL\text{-}SM_{i}\_IVF\_D_{j}\}} \left( \sum\limits_{F\_SL\text{-}SM_{k} \in \{SL\text{-}SM_{j}\}} {BC}_{test}( \lambda_{F\_SL\text{-}SM_{k}}, \lambda_{F\_FL\text{-}SM_{m}}, \lambda_{F\_P_{n}} ) \right) \right\rbrack = \lambda_{SL\text{-}SM_{j}}\,\lambda_{FL\text{-}SM_{i}\_IVF\_D_{j}}\,\lambda_{Pa\_DVF\_D_{i}\_D_{j}}\,\frac{\tau^{2}T_{life}}{2}\left( \frac{T_{life}}{\tau} - 1 \right)} & (10)\end{matrix}$

BC_(cascade)

BC_(cascade) is the contribution of three faults occurring with the following sequence: a first fault F1 occurring in the interval [(m−1)τ, mτ], a second fault F2 occurring at t_(F2)∈[(n−1)τ, nτ], n>m, and a third fault F3 occurring at t_(F3)>nτ. FIG. 8 shows the timeline of the sequence of the faults generating this contribution. From Probability Theory, it is possible to evaluate the quantitative contribution to the PMHF of BC_(cascade) using Formula 11:

$\begin{matrix}{{{BC}_{cascade}( {\lambda_{F\; 1},\lambda_{F\; 2},\lambda_{F\; 3}} )} = {\lambda_{F\; 1}\lambda_{F\; 2}{\lambda_{F\; 3}( {\frac{T_{life}^{3}}{6} - {\frac{\tau}{2}T_{life}^{2}} + {\frac{\tau^{2}}{3}T_{life}}} )}}} & (11)\end{matrix}$

Example: this is again a possible way in which a DVF fault controlled by a FL-SM which is in turn monitored by a SL-SM (executing a test every τ) can cause a hazard, unrelated to the previous ones.

If the SL-SM is the first to be made unavailable (F1), any fault occurring in the FL-SM (F2) cannot be detected, so that if the DVF fault occurs (F3) it will cause the hazard. It is noted that the third fault F3 cannot occur in the same interval [(n−1)τ, nτ] as the second fault F2, otherwise BC_(cascade) would not be disjoint from BC_(tau). Formula 12 gives the overall BC_(cascade) contribution related to a part and its related first layer and second layer safety mechanisms as a whole:

$\begin{matrix}{{BC}_{cascade}( \lambda_{SL\text{-}SM_{j}}, \lambda_{FL\text{-}SM_{i}\_IVF\_D_{j}}, \lambda_{P_{a}\_DVF\_D_{i}\_D_{j}} ) = \sum\limits_{F\_P_{n} \in \{ P_{a}\_DVF\_D_{i}\_D_{j} \}} \left[ \sum\limits_{F\_FL\text{-}SM_{m} \in \{ FL\text{-}SM_{i}\_IVF\_D_{j} \}} \left( \sum\limits_{F\_SL\text{-}SM_{k} \in \{ SL\text{-}SM_{j} \}} {BC}_{cascade}( \lambda_{F\_SL\text{-}SM_{k}}, \lambda_{F\_FL\text{-}SM_{m}}, \lambda_{F\_P_{n}} ) \right) \right] = \lambda_{SL\text{-}SM_{j}} \lambda_{FL\text{-}SM_{i}\_IVF\_D_{j}} \lambda_{P_{a}\_DVF\_D_{i}\_D_{j}} \left( \frac{T_{life}^{3}}{3} - T_{life}^{2}\tau + \frac{2}{3} T_{life}\tau^{2} \right)} & (12)\end{matrix}$

BC_(2Layers)

In the case where both the first layer and the second layer safety mechanisms carry out detection only, their total probability of leading to a hazard can be calculated as the combination of the three disjoint events BC_(tau), BC_(test) and BC_(cascade). Consequently, as the three basic contributions are used together, a new contribution (“BC_(2Layers)”), described in Formula 13, can be defined as their sum:

BC_(2Layers)(λ_(F1), λ_(F2), λ_(F3)) = BC_(tau)(λ_(F1), λ_(F2)) + BC_(test)(λ_(F1), λ_(F2), λ_(F3)) + BC_(cascade)(λ_(F1), λ_(F2), λ_(F3))  (13)

Application of BCs

In a safety analysis process, the PMHF can be calculated by summing all the combinations of basic contributions related to all the disjoint (unrelated) events that can cause a hazard, derived from any kind of fault (either DVF or IVF) which may be covered by a FL-SM with control and/or detection ability which, in turn, may or may not be monitored by a SL-SM.

Table 3 shows which basic contributions are taken into account to evaluate the PMHF for each set of DVF faults. IVF faults are considered in Table 4. For a detailed description of the fault sets, please refer again to Table 2.

TABLE 3
ID | Descriptive set | PMHF contribution
1 | Pa_DVF_U_U | BC_(single)(λ_(Pa_DVF_U_U))
2 | Pa_DVF_Di_U | BC_(double_ord)(λ_(FL-SMi_IVF_U), λ_(Pa_DVF_Di_U))
3 | Pa_DVF_Di_Dj | BC_(2Layers)(λ_(Pa_DVF_Di_Dj), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj))
4 | Pa_DVF_Ci_U | BC_(double_unord)(λ_(FL-SMi_IVF_U), λ_(Pa_DVF_Ci_U))
5 | Pa_DVF_Ci_Dj | BC_(2Layers)(λ_(Pa_DVF_Ci_Dj), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) + BC_(double_ord)(λ_(Pa_DVF_Ci_Dj), λ_(FL-SMi_IVF_Dj))
6 | FL-SMi_DVF_U | BC_(single)(λ_(FL-SMi_DVF_U))
7 | FL-SMi_DVF_Dj | BC_(double_ord)(λ_(SL-SMj), λ_(FL-SMi_DVF_Dj))
8 | FL-SMi_IVF_U | NONE: the effect of these faults is taken into account when evaluating the contributions due to the part covered by the SM, so there is no direct contribution to the PMHF from them
9 | FL-SMi_IVF_Dj | NONE: as for ID 8
10 | SL-SMj | NONE: the assumption is that a SL-SMj is not able to create a hazard

The term “BC_(double_ord)(λ_(Pa_DVF_Ci_Dj), λ_(FL-SMi_IVF_Dj))” in ID 5 is needed because of the control-only ability of FL-SMi. If a fault occurs in Pa, then it is controlled but not notified by FL-SMi. If, after that, a fault makes FL-SMi unavailable, the hazard is created independently of SL-SMj. A conservative assumption is that the FTT for DVF is 0.

The examples provided in the description of the basic contributions hereinbefore are sufficient to explain the other items in Table 3.
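As an added worked example (not code from the patent), the following Python evaluates BC_(test) and BC_(cascade) from the closed forms of Formulas 9 and 11, re-derives each by summing the probability mass of the fault sequence over the T_(life)/τ test intervals, and checks the step taken in Formula 10, where the triple sum over the individual faults of the three sets collapses to the kernel applied to the set totals (each kernel is linear in each of its three λ). The λ values, τ = 10 h and T_(life) = 20000 h are constructed for the demonstration; the third term of the cascade bracket is written as τ²T_(life)/3, which is what the interval sum yields.

```python
"""Added example (not part of the patent text): BC_test and BC_cascade two
ways, plus the set-level aggregation of Formula 10.
Units: lambda in 1/h, tau and T_life in hours. All numeric values below are
constructed for the demonstration."""
from itertools import product


def bc_test(lam1, lam2, lam3, tau, t_life):
    """Formula 9: F1 and F2 fall in the same test interval, F3 after it."""
    return lam1 * lam2 * lam3 * tau ** 2 * (t_life / 2) * (t_life / tau - 1)


def bc_cascade(lam1, lam2, lam3, tau, t_life):
    """Formula 11: F1 in an earlier interval than F2, F3 after F2's interval.
    The third term is tau^2 * T_life / 3, which is what the interval sum in
    bc_cascade_by_intervals produces and keeps the bracket in time^3."""
    return lam1 * lam2 * lam3 * (
        t_life ** 3 / 6 - tau * t_life ** 2 / 2 + tau ** 2 * t_life / 3
    )


def bc_test_by_intervals(lam1, lam2, lam3, tau, t_life):
    """Same quantity summed over the N = T_life/tau test intervals: in
    interval n, F1 and F2 each have a window of tau and F3 has the remaining
    (N - n) intervals, so the volume is tau^3 * sum_n (N - n)."""
    n_int = round(t_life / tau)
    volume = sum(tau * tau * (n_int - n) * tau for n in range(1, n_int + 1))
    return lam1 * lam2 * lam3 * volume


def bc_cascade_by_intervals(lam1, lam2, lam3, tau, t_life):
    """Same quantity for the cascade: F2 in interval n, F1 anywhere in the
    (n - 1) earlier intervals, F3 anywhere in the (N - n) later ones."""
    n_int = round(t_life / tau)
    volume = sum(
        (n - 1) * tau * tau * (n_int - n) * tau for n in range(2, n_int + 1)
    )
    return lam1 * lam2 * lam3 * volume


def bc_over_sets(kernel, sl_faults, fl_faults, part_faults, tau, t_life):
    """Left-hand side of Formula 10: triple sum over the individual faults
    F_SL-SM_k, F_FL-SM_m and F_P_n of the three sets."""
    return sum(
        kernel(a, b, c, tau, t_life)
        for a, b, c in product(sl_faults, fl_faults, part_faults)
    )


def bc_over_set_totals(kernel, sl_faults, fl_faults, part_faults, tau, t_life):
    """Right-hand side of Formula 10: the kernel applied to the summed lambda
    of each set. Equal to bc_over_sets because the kernel is linear in each
    of its three lambdas."""
    return kernel(sum(sl_faults), sum(fl_faults), sum(part_faults), tau, t_life)


# Constructed demo data: FIT values converted to 1/h (1 FIT = 1e-9 /h).
TAU_H = 10.0          # assumed SL-SM test period
T_LIFE_H = 20_000.0   # assumed operating lifetime
SL_SM_J = [30e-9, 20e-9]               # individual faults of SL-SM_j
FL_SM_I_IVF_DJ = [10e-9, 40e-9, 50e-9]  # IVF faults of FL-SM_i detected by SL-SM_j
PA_DVF_DI_DJ = [200e-9, 100e-9]         # DVF faults of P_a detected by FL-SM_i

if __name__ == "__main__":
    args = (SL_SM_J, FL_SM_I_IVF_DJ, PA_DVF_DI_DJ, TAU_H, T_LIFE_H)
    for name, kernel in (("BC_test", bc_test), ("BC_cascade", bc_cascade)):
        print(f"{name}: per-fault sum = {bc_over_sets(kernel, *args):.4e}, "
              f"set totals = {bc_over_set_totals(kernel, *args):.4e}")
```

The interval-sum functions are the ones to compare against the closed forms if the test period τ is not a divisor of T_(life) or if the test interval is not constant; the closed forms assume a fixed τ over the whole lifetime.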

Referring to FIG. 9, in an FTA approach, the contribution to the PMHF due to two independent IVF faults is evaluated by multiplying (i.e. combining through an AND gate) the results of the two branches related to the two faults. As a result of the similarity between the FTA approach and the approach herein described, it is possible by extension to compute the contribution from IVF faults as set out in Table 4.

TABLE 4
Descriptive set | PMHF contribution
Pa_IVF_U_U | 0.5 * BC_(single)(λ_(Pa_IVF_U_U)) * K_(Pb)
Pa_IVF_Ci_U | 0.5 * BC_(double_unord)(λ_(FL-SMi_IVF_U), λ_(Pa_IVF_Ci_U)) * K_(Pb)
Pa_IVF_Ci_Dj | 0.5 * [BC_(2Layers)(λ_(Pa_IVF_Ci_Dj), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) + BC_(double_ord)(λ_(Pa_IVF_Ci_Dj), λ_(FL-SMi_IVF_Dj))] * K_(Pb)
Pa_IVF_Di_U | 0.5 * BC_(double_ord)(λ_(FL-SMi_IVF_U), λ_(Pa_IVF_Di_U)) * K_(Pb)
Pa_IVF_Di_Dj | 0.5 * BC_(2Layers)(λ_(Pa_IVF_Di_Dj), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) * K_(Pb)
Notes: K_(Pb) = BC_(single)(λ_(Pb_IVF_U_U)) + BC_(double_ord)(λ_(FL-SMh_IVF_U_U), λ_(Pb_IVF_Dh_U)) + BC_(double_unord)(λ_(Pb_IVF_Ch_U), λ_(FL-SMh_IVF_U)) + BC_(2Layers)(λ_(Pb_IVF_Dh_Dv), λ_(FL-SMh_IVF_Dv), λ_(SL-SMv)) + BC_(2Layers)(λ_(Pb_IVF_Ch_Dv), λ_(FL-SMh_IVF_Dv), λ_(SL-SMv)) + BC_(double_ord)(λ_(Pb_IVF_Ch_Dv), λ_(FL-SMh_IVF_Dv))

In Table 4, indices ‘h’ and ‘v’ are used to address the FL-SM and the SL-SM respectively related to part P_(b). Bearing this change in mind, Table 2 can still be used to describe the sets of faults related to part P_(b).

In Table 4, each formula contains a factor 0.5. This is introduced to avoid an overestimation of the contributions due to IVF faults. Considering the example of the above table, the overall contribution to the PMHF due to IVF faults in parts P_(a) and P_(b) (K_(Pa_Pb)) is the product of the two branches:

K_(Pa_Pb) = K_(Pa) · K_(Pb)

It can easily be seen that, summing all contributions related to P_(a) (column “PMHF contribution” in Table 4), the result (K_(IVF_a)) is:

K_(IVF_a) = 0.5 · K_(Pa) · K_(Pb)

Such a sum is also done for P_(b) (K_(IVF_b)) to obtain:

K_(IVF_b) = 0.5 · K_(Pb) · K_(Pa)

The overall contribution can then be evaluated as:

K_(Pa_Pb) = K_(IVF_a) + K_(IVF_b) = 0.5 · K_(Pa) · K_(Pb) + 0.5 · K_(Pb) · K_(Pa) = K_(Pa) · K_(Pb)

Referring to Table 4 above, in the case of IVF there is a larger FTT than in the case of DVF and, in the majority of cases, this is such that the SL-SM is able to detect the unavailability of the FL-SM in time. By detecting the unavailability of the FL-SM, the hazard is avoided and so this contribution can be neglected; the introduction of the term “BC_(double_ord)(λ_(Pa_IVF_Ci_Dj), λ_(FL-SMi_IVF_Dj))” in this case is therefore even more conservative than for the DVF one.

Referring still to Table 4, the formula for K_(Pb) in the column “Notes” has been written in its most generic way, considering all the possible combinations of SMs (both FL and SL type) acting on its IVF faults. It is noted that if a set of faults is not present in part P_(b), the related portion of FIT is 0, as is the associated BC.

If, for instance, in part P_(b) there are no faults detected by a FL-SM, both λ_(Pb_IVF_Dh_U) and λ_(Pb_IVF_Dh_Dv) are equal to 0 and consequently the BCs using those λ (BC_(double_ord)(λ_(FL-SMh_IVF_U_U), λ_(Pb_IVF_Dh_U)) and BC_(2Layers)(λ_(Pb_IVF_Dh_Dv), λ_(FL-SMh_IVF_Dv), λ_(SL-SMv))) are also equal to 0. Once all the basic contributions have been evaluated for the whole design, it is possible to compute the total PMHF value by summing all the basic contributions, as set out in Formula 14, where ΣBC_(IVF) takes into account the contributions due to parts affected by IVF faults:

PMHF = ΣBC_(single) + ΣBC_(double_ord) + ΣBC_(double_unord) + ΣBC_(2Layers) + ΣBC_(IVF)  (14)

Integration into Safety Analysis Flow

Referring to FIG. 10, a process of determining a PMHF value is shown. The process includes deriving values of λ for second layer safety mechanisms (step S8.1), deriving values of λ for first layer safety mechanisms (step S8.2), deriving values of λ for parts (step S8.3), determining basic contributions from first layer safety mechanisms (step S8.4), determining basic contributions from parts (step S8.5), determining PMHF contributions due to IVF faults (step S8.6) and calculating the PMHF (step S8.7).

As hereinbefore described, the actual PMHF evaluation is done using sets of faults that differ from the ones described in Table 2. Before describing the process in detail, these sets of faults will first be described:

TABLE 5
ID | Actual set of faults | Description | PMHF contribution | Used descriptive sets
1 | Pa_DVF_U | set of DVF faults in P_(a) not covered by any SM | BC_(single)(λ_(Pa_DVF_U)) | Pa_DVF_U_U
2 | Pa_DVF_Di | set of DVF faults in P_(a) detected (and controlled) by FL-SMi which could be (partially) covered by SL-SMj | BC_(2Layers)(λ_(Pa_DVF_Di), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) + BC_(double_ord)(λ_(FL-SMi_IVF_U), λ_(Pa_DVF_Di)) | Pa_DVF_Di_Dj + Pa_DVF_Di_U
3 | Pa_DVF_Ci | set of DVF faults in P_(a) controlled-only by FL-SMi which could be (partially) covered by SL-SMj | BC_(2Layers)(λ_(Pa_DVF_Ci), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) + BC_(double_ord)(λ_(Pa_DVF_Ci), λ_(FL-SMi_IVF_Dj)) + BC_(double_unord)(λ_(Pa_DVF_Ci), λ_(FL-SMi_IVF_U)) | Pa_DVF_Ci_Dj + Pa_DVF_Ci_U
4 | Pa_IVF_U | set of IVF faults in P_(a) not covered by any SM | [BC_(single)(λ_(Pa_IVF_U)) * K_(Pb)]/2 | Pa_IVF_U_U
5 | Pa_IVF_Di | set of IVF faults in P_(a) detected by FL-SMi which could be (partially) covered by SL-SMj | [BC_(2Layers)(λ_(Pa_IVF_Di), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) + BC_(double_ord)(λ_(FL-SMi_IVF_U), λ_(Pa_IVF_Di))] * K_(Pb)/2 | Pa_IVF_Di_Dj + Pa_IVF_Di_U
6 | Pa_IVF_Ci | set of IVF faults in P_(a) controlled-only by FL-SMi which could be (partially) covered by SL-SMj | [BC_(2Layers)(λ_(Pa_IVF_Ci), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) + BC_(double_ord)(λ_(Pa_IVF_Ci), λ_(FL-SMi_IVF_Dj)) + BC_(double_unord)(λ_(Pa_IVF_Ci), λ_(FL-SMi_IVF_U))] * K_(Pb)/2 | Pa_IVF_Ci_Dj + Pa_IVF_Ci_U
7 | FL-SMi_DVF_U | set of DVF faults in FL-SMi not detected by any SM | BC_(single)(λ_(FL-SMi_DVF_U)) | FL-SMi_DVF_U
8 | FL-SMi_DVF_Dj | set of DVF faults in FL-SMi detected by SL-SMj | BC_(double_ord)(λ_(SL-SMj), λ_(FL-SMi_DVF_Dj)) | FL-SMi_DVF_Dj
9 | FL-SMi_IVF_U | set of IVF faults in FL-SMi not detected by any SM | NONE: the effect of these faults is taken into account when evaluating the contributions due to the part covered by the SM, so there is no direct contribution to the PMHF from them | FL-SMi_IVF_U
10 | FL-SMi_IVF_Dj | set of IVF faults in FL-SMi detected by SL-SMj | NONE: as for ID 9 | FL-SMi_IVF_Dj
11 | SL-SMj | all faults affecting SL-SMj | NONE: the assumption is that a SL-SMj is not able to create a hazard | SL-SMj

In Table 5, the last column is meant to help in understanding the formulas proposed to evaluate the PMHF contributions. It shows which descriptive sets (used in Table 2) make up the actual sets of faults. Furthermore, when an actual set consists of two descriptive sets, the formulas in the fourth column are written with two different font styles (normal and italics) to distinguish the terms related to the different descriptive sets. The same notation is used in the last column to help link formulas and sets, i.e. a formula written in italics in the penultimate column is related to the descriptive set in italics in the last column.

The following steps are built using Table 5 as a reference. If a set of faults is not present in a part (or a FL-SM), then the corresponding portion of FIT and, thus, the associated basic contribution is zero.

Derive λ for SL-SMs (Step S8.1)

Referring to FIG. 10, the process determines the portion of the FIT associated with the second layer safety mechanisms provided in the design. Because one of the assumptions used to develop the model is that misbehaviours of such a safety mechanism are not able to directly create a hazard, the FIT associated with a given SL-SM (SL-SM_(j)) is added in full to λ_(SL-SMj) (steps S8.1.1 to S8.1.7).

Derive λ for FL-SMs (Step S8.2)

Referring to FIG. 11, the process determines the portion of the FIT associated with the first layer safety mechanisms (steps S8.2.1 to S8.2.14). It is a reasonable assumption that at least some of these safety mechanisms have the potential to directly create a hazard. For this reason, a first check is executed on these first layer safety mechanisms to identify whether a fault affecting a given SM (FL-SMi) is DVF or IVF (step S8.2.3). A second check is carried out to see if the fault is covered by a safety mechanism (step S8.2.4). When a fault is found to be covered by a safety mechanism, a link between the FL-SM and the SL-SM is established (steps S8.2.5 & S8.2.10). This link is stored in lambda classification data 47 (FIG. 19), at least temporarily, in working memory 48 (FIG. 19). This link allows the correct portions of FIT to be addressed in the formulas when basic contributions are evaluated. When a fault is found to be covered by more than one safety mechanism, the link is issued only with the highest ranked one.

As a result of these checks, the FIT of the safety mechanism is split into the following disjoint sets, namely λ_(FL-SMi_DVF_U), λ_(FL-SMi_DVF_Dj), λ_(FL-SMi_IVF_U) and λ_(FL-SMi_IVF_Dj). Because it is assumed that a second layer safety mechanism can only detect faults (and not control them), there is no need to distinguish whether a fault in a first layer safety mechanism is control-only or is also detected.

Derive λ for Parts (Step S8.3)

Referring to FIG. 12, the process determines the portion of the FIT associated with the parts (steps S8.3.1 to S8.3.18).

Derivation of λ for parts is similar to derivation of λ for first layer safety mechanisms, the main difference being that a distinction is made between faults that are controlled-only and faults that are also detected. Thus, the process checks whether a fault is controlled-only (steps S8.3.6 & S8.3.13).

As for the derivation of λ for first layer safety mechanisms, a link is created between the part and the safety mechanism covering its faults (steps S8.3.5 & S8.3.12). Similarly, when a fault is found to be covered by more than one safety mechanism, the link is issued only with the highest ranked one.

At the end of this step the following sets of λ are available, namely λ_(Pn_DVF_U), λ_(Pn_DVF_Di), λ_(Pn_DVF_Ci), λ_(Pn_IVF_U), λ_(Pn_IVF_Di) and λ_(Pn_IVF_Ci). Steps S8.1 to S8.3 can be carried out in a different order, and one or more of the steps may be modified.

Determine Basic Contributions from FL-SMs (Step S8.4)

Referring to FIG. 13, once sub-sets of FIT have been derived for the parts and safety mechanisms of the electronic system (such as a microcontroller), the process determines the PMHF contributions due to DVF faults in safety mechanisms (steps S8.4.1 to S8.4.4). The contribution due to DVF faults for the i^(th) safety mechanism is labelled K_(SM_i). If the i^(th) safety mechanism SMi is not affected by DVF faults, then K_(SM_i)=0.

Once K_(SM_i) is evaluated, it is used directly in the formula for the computation of the PMHF.

According to Table 3, only contributions due to DVF faults are considered for first layer safety mechanisms. The ones due to their IVF faults are considered directly during the analysis of the parts covered by the safety mechanism itself.

Determine Basic Contributions from Parts (Step S8.5)

Referring to FIG. 14, the process determines the contributions to the PMHF due to IVF and DVF faults affecting a given part P_(n) (steps S8.5.1 to S8.5.7).

Outputs of this step are:

-   K_(DVF_n): the contribution due to DVF faults; if P_(n) has no DVF fault then K_(DVF_n)=0; K_(DVF_n), once evaluated, is used directly in the formula for the computation of the PMHF; and
-   K_(IVF_n): the contribution due to IVF faults; if P_(n) has no IVF fault, then K_(IVF_n)=0. Prior to using K_(IVF_n) in the formula for the computation of the PMHF it is necessary to perform another step of evaluation.

The terms “ΣBC_(double_unord)(λ_(Pn_IVF_Ci), λ_(FL-SMi_IVF_U))” and “ΣBC_(2Layers)(λ_(Pn_IVF_Di), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj))” are evaluated as set out in Formulas 15 and 16 respectively. The sets of FIT used in the example are described in Table 6:

TABLE 6
ID | Set of FIT | Related to
1 | λPn_IVF_U | IVF faults in Pn not covered by any SM
2 | λPn_IVF_C1 | IVF faults in Pn controlled-only by FL-SM1
3 | λPn_IVF_C2 | IVF faults in Pn controlled-only by FL-SM2
4 | λPn_IVF_D3 | IVF faults in Pn detected by FL-SM3
5 | λPn_IVF_D4 | IVF faults in Pn detected by FL-SM4
6 | λPn_IVF_D5 | IVF faults in Pn detected by FL-SM5
7 | λFL-SM1_IVF_U | IVF faults in FL-SM1 not detected by any SM
8 | λFL-SM1_IVF_D1 | IVF faults in FL-SM1 detected by SL-SM1
9 | λFL-SM2_IVF_U | IVF faults in FL-SM2 not detected by any SM
10 | λFL-SM3_IVF_U | IVF faults in FL-SM3 not detected by any SM
11 | λFL-SM3_IVF_D2 | IVF faults in FL-SM3 detected by SL-SM2
12 | λFL-SM3_IVF_D3 | IVF faults in FL-SM3 detected by SL-SM3
13 | λFL-SM4_IVF_U | IVF faults in FL-SM4 not detected by any SM
14 | λFL-SM4_IVF_D1 | IVF faults in FL-SM4 detected by SL-SM1
15 | λFL-SM5_IVF_U | IVF faults in FL-SM5 not detected by any SM
16 | λSL-SM1 | all faults affecting SL-SM1
17 | λSL-SM2 | all faults affecting SL-SM2
18 | λSL-SM3 | all faults affecting SL-SM3

ΣBC_(double_unord)(λ_(Pn_IVF_Ci), λ_(FL-SMi_IVF_U)) = BC_(double_unord)(λ_(Pn_IVF_C1), λ_(FL-SM1_IVF_U)) + BC_(double_unord)(λ_(Pn_IVF_C2), λ_(FL-SM2_IVF_U))  (15)

ΣBC_(2Layers)(λ_(Pn_IVF_Di), λ_(FL-SMi_IVF_Dj), λ_(SL-SMj)) = BC_(2Layers)(λ_(Pn_IVF_D3), λ_(FL-SM3_IVF_D2), λ_(SL-SM2)) + BC_(2Layers)(λ_(Pn_IVF_D3), λ_(FL-SM3_IVF_D3), λ_(SL-SM3)) + BC_(2Layers)(λ_(Pn_IVF_D4), λ_(FL-SM4_IVF_D1), λ_(SL-SM1))  (16)

Determining PMHF Contribution Due to IVF Faults (Step S8.6)

Referring to FIG. 15, the process determines the contributions to the PMHF due to IVFs (steps S8.6.1 to S8.6.7). In the case of IVFs, two concurrent parts are identified in order to evaluate the PMHF contribution properly. A first part P_(A) is concurrent with a second part P_(B) if IVFs affecting P_(A) are needed in order that IVFs in P_(B) lead to a violation of a safety goal. Concurrency is commutative, so that if the first part P_(A) is concurrent with the second part P_(B), then the second part P_(B) is concurrent with the first part P_(A).

This step determines whether a part provides a safety mechanism and adjusts the contribution accordingly. If the part does not provide a safety mechanism, then there is no contribution; if the part does provide a safety mechanism, then the contribution is reduced by a factor of 0.5.

In the safety analysis process, IVF concurrent parts are identifiable using an “IVF_concurrent” attribute 49 in the element characterisation 17 (FIG. 21) of the part-level analysis report 10 (FIG. 18).

In some cases, it may not be possible to identify a concurrent part. For example, if the fault impact is manually estimated, then it is assumed that a fault cannot create a hazard on its own and, conservatively, if the fault is not categorized as NVF, then the fault becomes IVF. For such cases, the process allows for the identification of a “worst IVF part”, in short P_(g), of the design.

The process first derives K_(Pg) (step S8.6.1), which is the contribution of all the IVF faults affecting the part and which is considered to be one of the independent branches needed to evaluate the contribution to the PMHF due to IVF faults.

The process then selects P_(g) as, among the P_(n) parts with IVF faults and a blank “IVF_concurrent” attribute, the one with the highest K_(IVF_n) (steps S8.6.3 & S8.6.4). Faults in part P_(g) are then considered to be concurrent with the IVF faults whose parent part has a blank entry in the “IVF_concurrent” attribute (step S8.6.3).

There are two possibilities, namely (1) the part is clearly linked to another part through the attribute “IVF_concurrent” 49 in element characterisation 17 (FIG. 21); or (2) the part is not linked to any other part and its related attribute “IVF_concurrent” 49 in element characterisation 17 (FIG. 21) is left blank.

In the first case, the calculation is straightforward and it is only necessary to combine the basic contributions, evaluated during the previous step, of the two concurrent parts (steps S8.6.3, S8.6.8 and step S8.6.10; marked by arrow A). In the second case, evaluation of the contribution to the PMHF requires an additional step, namely selection of the “worst IVF part” (step S8.6.1).

For a part with a blank “IVF_concurrent” attribute 49 in element characterisation 17 (FIG. 21), K_(IVF_n) is calculated by associating P_(n) to the worst IVF part P_(g) (whose selection is described above). Otherwise, the concurrent branch is evaluated following the link expressed in the “IVF_concurrent” attribute 49 in element characterisation 17 (FIG. 21).

The check “n=g?” (step S8.6.4) allows the contribution due to IVF faults affecting the part to be skipped if the part under analysis is the one classified as “worst IVF part”.

The reason for introducing this step will now be explained.

Analysis of P_(g) should provide the contribution:

$K_{IVF\_g} = \sum\limits_{\text{all possible } g^{*}} 0.5 \cdot K_{IVF\_g\_side} \cdot K_{IVF\_g^{*}} = \sum\limits_{k} 0.5 \cdot K_{Pg} \cdot K_{IVF\_k\_side}$

where the values of k are such that P_(k) is a part linked to P_(g), while each one of the parts associated to P_(g) should provide:

K_(IVF_k) = 0.5 · K_(IVF_k_side) · K_(IVF_k*) = 0.5 · K_(IVF_k_side) · K_(Pg)

So that the overall contribution of P_(g) and all the parts associated to it can be easily found, K_(Pg_Pk) is:

$K_{Pg\_ Pk} = {{K_{IVF\_ g} + {\sum\limits_{k}^{\;}K_{IVF\_ k}}} = {\sum\limits_{k}^{\;}{K_{Pg} \cdot K_{{IVF\_ k}{\_ side}}}}}$

To evaluate K_(Pg), the process should ideally keep track of every part associated to P_(g). This, however, requires processing resources. Thus, an easier solution can be used whereby the overall K_(Pg_Pk) is simply estimated. Because of the check “n=g?”, the adopted solution provides K′_(IVF_g)=0, while following the series of steps S8.6.4 & S8.6.9 (marked by arrow B) it gives:

$K_{IVF\_k}^{\prime} = \frac{K_{IVF\_k\_side} \cdot K_{IVF\_k^{*}}}{2} = \frac{K_{IVF\_k\_side} \cdot 2 \cdot K_{Pg}}{2} = K_{IVF\_k\_side} \cdot K_{Pg}$

The overall contribution of P_(g) and all the parts associated to it, evaluated with this different approach (K′_(Pg_Pk)), can be calculated to be exactly equal to the one previously calculated, namely:

$K_{Pg\_ Pk}^{\prime} = {{K_{IVF\_ g}^{\prime} + {\sum\limits_{k}^{\;}K_{IVF\_ k}^{\prime}}} = {{0 + {\sum\limits_{k}^{\;}{K_{{IVF\_ k}{\_ side}} \cdot K_{Pg}}}} = K_{Pg\_ Pk}}}$

Calculating PMHF (Step S8.7)

Referring to FIG. 16, the process calculates the PMHF (step S8.7). This is done by summing all the contributions K_(SM_i), K_(DVF_n) and K_(IVF_n).
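An added example (not code from the patent) of the bookkeeping of steps S8.6 and S8.7 in Python: each part carries its own IVF branch K_(Pn) (the value the text calls K_(Pg) when the part is the worst IVF part) and an optional “IVF_concurrent” link, and the two schemes, full pairing with the 0.5 factor versus the FIG. 15 shortcut that skips n = g and takes the P_(g) branch in full for the remaining unlinked parts, are computed side by side; their per-part values differ but the totals agree, as the derivation above states. The `Part` record, the function names and all K values are assumptions made for the example.

```python
"""Added example (not part of the patent): two ways of totalling the IVF
contributions of step S8.6, plus the final sum of step S8.7.
The K values below are constructed; the dataclass and function names are
choices made for this example."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Part:
    name: str
    k_p: float                            # K_Pn: the part's own IVF branch
    ivf_concurrent: Optional[str] = None  # attribute 49; None models "blank"


def worst_ivf_part(parts: Dict[str, Part]) -> Optional[str]:
    """P_g: among parts with IVF faults and a blank IVF_concurrent attribute,
    the one with the largest branch value."""
    candidates = [p for p in parts.values() if p.ivf_concurrent is None and p.k_p > 0]
    return max(candidates, key=lambda p: p.k_p).name if candidates else None


def k_ivf_exact(parts: Dict[str, Part]) -> Dict[str, float]:
    """Full pairing: K_IVF_n = 0.5 * K_Pn * (concurrent branch). P_g is paired
    with every other unlinked part, so its own entry is a sum over them."""
    g = worst_ivf_part(parts)
    out: Dict[str, float] = {}
    for p in parts.values():
        if p.k_p == 0:
            out[p.name] = 0.0                      # no IVF fault, no contribution
        elif p.ivf_concurrent is not None:
            out[p.name] = 0.5 * p.k_p * parts[p.ivf_concurrent].k_p
        elif p.name == g:
            out[p.name] = sum(
                0.5 * p.k_p * q.k_p
                for q in parts.values()
                if q.ivf_concurrent is None and q.name != g
            )
        else:
            out[p.name] = 0.5 * p.k_p * parts[g].k_p
    return out


def k_ivf_shortcut(parts: Dict[str, Part]) -> Dict[str, float]:
    """FIG. 15 flow: the n = g check yields K'_IVF_g = 0 and every other
    unlinked part takes K'_IVF_k = K_Pk * K_Pg (the 0.5 factor cancels the
    doubled P_g branch). Linked pairs are handled exactly as before."""
    g = worst_ivf_part(parts)
    out: Dict[str, float] = {}
    for p in parts.values():
        if p.k_p == 0:
            out[p.name] = 0.0
        elif p.ivf_concurrent is not None:
            out[p.name] = 0.5 * p.k_p * parts[p.ivf_concurrent].k_p
        elif p.name == g:
            out[p.name] = 0.0
        else:
            out[p.name] = p.k_p * parts[g].k_p
    return out


def pmhf(k_sm: Dict[str, float], k_dvf: Dict[str, float], k_ivf: Dict[str, float]) -> float:
    """Step S8.7: PMHF = sum K_SM_i + sum K_DVF_n + sum K_IVF_n."""
    return sum(k_sm.values()) + sum(k_dvf.values()) + sum(k_ivf.values())


# Constructed design: A and B are linked through IVF_concurrent; C, D and E
# are unlinked (C becomes the worst IVF part); F has no IVF faults at all.
SAMPLE_PARTS: Dict[str, Part] = {
    p.name: p
    for p in (
        Part("A", 2e-9, "B"), Part("B", 3e-9, "A"),
        Part("C", 5e-9), Part("D", 1e-9), Part("E", 4e-9), Part("F", 0.0),
    )
}
SAMPLE_K_SM = {"FL-SM1": 1e-10}       # constructed K_SM_i values (step S8.4)
SAMPLE_K_DVF = {"A": 4e-10, "C": 2e-10}  # constructed K_DVF_n values (step S8.5)

if __name__ == "__main__":
    exact, short = k_ivf_exact(SAMPLE_PARTS), k_ivf_shortcut(SAMPLE_PARTS)
    for name in SAMPLE_PARTS:
        print(f"{name}: exact {exact[name]:.3e}  shortcut {short[name]:.3e}")
    print(f"total exact    {sum(exact.values()):.6e}")
    print(f"total shortcut {sum(short.values()):.6e}")
    print(f"PMHF           {pmhf(SAMPLE_K_SM, SAMPLE_K_DVF, short):.6e}")
```

Only the totals are interchangeable between the two schemes; a per-part breakdown of the IVF contribution (for instance to rank which part's coverage to improve) has to come from the full pairing.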

Design Support System 1

Referring to FIG. 17, a design support system 1 for generating functional safety data for an electronic component, such as a microcontroller, is shown.

The design support system 1 includes a developer safety analysis system 2, a customer safety analysis system 3 and a shared database 4 that stores safety data including a customisable analysis report 6 and fault lists 7 which are used to prepare the customisable analysis report 6.

The customisable analysis report 6 includes analysis configuration data 8, an analysis report 9, a part-level analysis report 10 and a safety mechanism report 11. The analysis report 9 includes fault impact analysis data 12, fault coverage analysis data 13, lambda values 14 and hardware metric values and probabilistic metric for random hardware failure (PMHF) values 15. The part-level analysis report 10 includes a list of elements 16, element characterisation data 17 and fault dependent analysis 18. As shown in FIG. 18, the fault dependent analysis 18 comprises fault impact analysis data 12 and fault coverage analysis data 13. The fault lists 7 include a fault impact analysis fault list 19 and a fault coverage analysis fault list 20. The customisable analysis report 6 and/or fault lists 7 may be stored in the form of a set of tables.

The fault impact analysis data 12 and fault coverage analysis data 13 need not be included in the analysis report 9. Likewise, the fault impact analysis data 12 and fault coverage analysis data 13 need not be included in the part-level analysis report 10.

The fault impact analysis data 12 and fault coverage analysis data 13 can be stored separately from the analysis report 9 and/or part-level analysis report 10. The fault impact analysis data 12 and fault coverage analysis data 13 can be duplicated (e.g. by mirroring) and stored in one of or both the analysis report 9 and/or part-level analysis report 10.

The design support system 1 also includes a set of developer databases21, 22, 23.

Lambda classification data 47 may be stored in the safety database 4. The lambda classification data 47 may be included in the customisable analysis report 6.

A developer can generate the customisable analysis report 6 when designing an electronic component, such as a microcontroller. The developer and/or the customer may change the analysis configuration data 8, fault impact analysis data 12 and fault coverage analysis data 13 and inspect the effect of doing so on the lambda values 14 and hardware metric values and PMHF values 15.

Some parts of the customisable analysis report 6 may be visible to the developer, but not the customer. Some parts of the customisable analysis report 6 may be visible, but not changeable by the customer. Some parts of the customisable analysis report 6 may be changeable by the customer, but the customer may be limited to making changes to values lying in ranges or having specific values specified by the developer. Limiting the customisable analysis report 6 in one or more of these ways can help to prevent the customer from making unexpected or invalid changes.

The design support system 1 may take the form of a database and a database management system. The customisable analysis report 6 may be stored in the form of spreadsheets and text files.

FIG. 19 illustrates the developer side of the design support system 1 in more detail.

Referring to FIG. 19, the design support system 1 includes a set of developer databases 21, 22, 23 including a design database 21, a fault list database 22 and an assumptions database 23. The design database 21 stores a description 24 of a design of an electronic component, for example in the form of a pre-layout, gate-level net list which includes size information. However, the description 24 may include additional information about layout, such as the distance between logic blocks. Layout information may be used to identify bridge faults. The description 24 may include information at a higher or lower level of abstraction. The description 24 may include information from more than one level of abstraction.

The fault list database 22 stores a list of possible faults 25. The fault list 25 may take the form of a table, for example in a spreadsheet or text file, listing possible faults, such as “stuck at 0” or “stuck at 1”.

The assumptions database 23 stores assumptions 26 about how the electronic component will be used. The assumptions 26 may take the form of a table, for example a spreadsheet or text file, listing assumptions, such as “Assumption 1: System is using an external watchdog that will generate a reset if not cleared every 10 milliseconds”.

The developer safety analysis system 2 includes modules 27, 28, 29, 30, 31, 32, 46 for generating the customisable analysis report 6. The developer safety analysis system 2 includes a design partitioning module 27, a fault probabilistic characterisation module 28, a fault impact analysis module 29, a safety mechanism analysis module 30, a fault coverage analysis module 31, a safety parameter generation module 32 and a PMHF generation module 46.

The design support system 1 allows a developer and a customer to collaborate during development of an electronic component. Using the system 1 and the processes described herein, a systematic approach can be followed to quantify the safety capabilities of an electronic component and assess its development. The design support system 1 can speed up the process of designing the electronic component.

FIG. 21 shows element characterisation data 17 in more detail.

Referring to FIG. 21, the element characterisation data 17 includes a set of entries 70 for elements, each entry 70 including a first attribute field 71 containing an element identifier (ID), a second attribute field 72 containing an element name, a third attribute field 73 containing an indicator marking whether or not a part is relevant to safety, a fourth attribute field 74 containing a fault characterisation name, a fifth attribute field 75 containing a failure rate characteristic name and a sixth attribute field 49 containing the identifier or name of another element to which the element is linked or, if there is no link, the attribute is flagged as such (herein referred to as “blank”), for example by being set to a null value or a dummy value.

The element characterisation data 17 can also include size information relating to the element.

The element characterisation data 17 is stored in the safety database 4 (FIG. 18) as a section in the part-level analysis report 10.

Overview of Safety Analysis

Referring to FIGS. 18, 19, 20 and 22, an overall approach to analysing the functional safety capabilities of an electronic component is shown. Herein, the example of a microcontroller will be used. However, the approach may be applied to other types of integrated circuits such as system-on-a-chip (SoC), memory, application-specific integrated circuit (ASIC), analog IC, mixed signal IC and power IC, as well as other electronic components. The approach may be applied to electronic systems which comprise a plurality of electronic components.

A design 51 for an electronic component, in this example a microcontroller, is prepared (step S1).

The design 51 is partitioned to define elements 52 which include parts 52₁, such as CPU cores, embedded memory and communication units, and sub-parts 52₂, such as macros and digital standard cell blocks (step S2).

Once the elements 52 have been identified, physical defects with the potential to affect each element 52 are identified and each element 52 is characterised by allocating a failure rate, measured in units of failures in time (FIT) (which is the number of failures expected per 10⁹ device-hours of operation), to the element 52, by assigning one or more fault models to the element 52 and, if there is more than one fault model, by assigning a distribution of the failure rate between the different fault models (step S3).

Safety mechanisms, such as self-checking logic or loop-back logic, embedded in the microcontroller or which are assumed to be outside the microcontroller, are identified and their properties are investigated (step S4). As will be explained in more detail later, a safety mechanism can be implemented fully in hardware, fully in software or using both hardware and software, or be provided outside the microcontroller. Once the safety mechanisms have been identified, the overall effectiveness of the safety mechanisms is determined (step S5).

Independent of any consideration of safety mechanisms, the impact offaults on elements 52 is determined (step S6). As will be explained inmore detail later, assumptions about the usage of the microcontrollercan be made.

Once fault coverage and fault impact have been evaluated, faultclassification is undertaken which yields failure rates and hardwaremetrics for the microcontroller (step S7).

The results 14, 15 are output in a report 6 and stored in the safetydatabase 4. As will be described in more detail later, the report 6 iscustomisable. The developer and/or customer can change input parametersto see how the results 14, 15 change.

Probability of safety goal violations due to random hardware failurescan be evaluated (step S8). As explained earlier, values of PMHF can beobtained using FMEA-like analysis.

A check can be made of results compliance against quantitative targets(step S9). This includes checking hardware metrics values andprobabilistic metric for random hardware failure (PMHF)/cut-set methodsagainst defined targets to check for plausibility and compliance.Interaction between on-chip modules can be analysed (step S10).

A review of the safety analysis, hardware metric values and PMHF/cut-setresults is made (step S11). The design may be updated (step S12) and theprocess repeated until a satisfactory design is realized.
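As an added illustration of steps S3 to S9, not code from the patent, the following Python assigns FIT rates and fault-model distributions to constructed elements, applies safety-mechanism coverage and fault impact, classifies the faults and compares the resulting hardware metrics and a first-order PMHF against assumed ISO 26262-5 ASIL targets. The SPFM/LFM definitions, the first-order PMHF (single-point and residual rates only, no dual-point terms) and the target values are assumptions of this example, not the patent's first/second layer method.

```python
"""Steps S3 to S9 as code: classify per-element FIT data and derive hardware metrics.
Added illustration, not the patent's method: standard ISO 26262-5 SPFM/LFM definitions and
a first-order PMHF (single-point and residual rates only). All sample values are constructed."""
from dataclasses import dataclass
@dataclass
class Element:
    name: str
    fit: float             # failure rate in FIT: failures per 1e9 device-hours (step S3)
    fault_models: dict     # fault model -> share of the FIT, shares sum to 1.0 (step S3)
    safety_related: float  # fraction of faults able to violate the safety goal (step S6)
    dc_residual: dict      # fault model -> coverage by a safety mechanism (step S5)
    dc_latent: dict        # fault model -> coverage of the fault once latent (step S5)

def classify(e: Element) -> dict:
    """Step S7: split an element's FIT into safe, SPF/RF, latent and detected MPF rates."""
    safe = e.fit * (1 - e.safety_related)
    spf_rf = latent = detected = 0.0
    for model, share in e.fault_models.items():
        lam = e.fit * share * e.safety_related
        dc_r, dc_l = e.dc_residual.get(model, 0.0), e.dc_latent.get(model, 0.0)
        spf_rf += lam * (1 - dc_r)   # uncovered -> single-point or residual fault
        covered = lam * dc_r         # covered -> multiple-point fault
        latent += covered * (1 - dc_l)
        detected += covered * dc_l
    return {"safe": safe, "spf_rf": spf_rf, "latent": latent, "detected": detected}

def hardware_metrics(elements: list) -> dict:
    """Steps S7 and S8: SPFM, LFM and first-order PMHF (in FIT) for the whole design."""
    total = sum(e.fit for e in elements)
    split = [classify(e) for e in elements]
    spf_rf = sum(s["spf_rf"] for s in split)
    latent = sum(s["latent"] for s in split)
    return {"SPFM": 1 - spf_rf / total, "LFM": 1 - latent / (total - spf_rf),
            "PMHF_FIT": spf_rf}

# Assumed ISO 26262-5 targets per ASIL: (min SPFM, min LFM, max PMHF in FIT).
TARGETS = {"B": (0.90, 0.60, 100.0), "C": (0.97, 0.80, 100.0), "D": (0.99, 0.90, 10.0)}

def check_targets(metrics: dict, asil: str) -> dict:
    """Step S9: compare the metrics against the quantitative targets of one ASIL."""
    spfm, lfm, pmhf = TARGETS[asil]
    return {"SPFM": metrics["SPFM"] >= spfm, "LFM": metrics["LFM"] >= lfm,
            "PMHF": metrics["PMHF_FIT"] < pmhf}

# Constructed microcontroller elements (step S2): a CPU core and an embedded SRAM.
SAMPLE = [
    Element("cpu_core", 100.0, {"stuck_at": 0.6, "transient": 0.4}, 0.8,
            {"stuck_at": 0.9, "transient": 0.99}, {"stuck_at": 0.5, "transient": 1.0}),
    Element("sram", 200.0, {"stuck_at": 1.0}, 0.5, {"stuck_at": 0.99}, {"stuck_at": 0.9}),
]
```

For this constructed design the metrics pass the assumed ASIL C targets but miss ASIL D on both SPFM and LFM, which is the kind of result that sends the process back through step S12.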

Further details of the system can be found in EP 2 757 476 A2 which is incorporated herein by reference. Like features herein and in EP 2 757 476 A2 are denoted by like reference numerals.

MODIFICATIONS

It will be appreciated that various modifications may be made to the embodiments hereinbefore described. Such modifications may involve equivalent and other features which are already known in the design, manufacture and use of safety analysis systems and component parts thereof and which may be used instead of or in addition to features already described herein. Features of one embodiment may be replaced or supplemented by features of another embodiment.

Although claims have been formulated in this application to particular combinations of features, it should be understood that the scope of the disclosure of the present invention also includes any novel features or any novel combination of features disclosed herein either explicitly or implicitly or any generalization thereof, whether or not it relates to the same invention as presently claimed in any claim and whether or not it mitigates any or all of the same technical problems as does the present invention. The applicants hereby give notice that new claims may be formulated to such features and/or combinations of such features during the prosecution of the present application or of any further application derived therefrom.

The invention claimed is:

1. A method of determining a probabilistic metric for random hardware failure for an electronic system which comprises elements and safety mechanisms, the safety mechanisms including first layer safety mechanisms and second layer safety mechanisms, wherein a first layer safety mechanism may provide at least partial coverage of failure of a part and a second layer safety mechanism provides at least partial coverage of failure of a first layer safety mechanism, the method comprising: calculating a first set of probabilities associated with the first layer safety mechanisms, wherein calculating the first set of probabilities comprises, for each first layer safety mechanism: calculating a contribution due to a direct violation fault in a first layer safety mechanism and contributions due to combinations of a first fault occurring in a second layer safety mechanism and a later second, direct violation fault occurring in the first level safety mechanism, wherein the direct violation fault in the first layer safety mechanism is covered by the second layer safety mechanism; calculating a second set of probabilities associated with direct violation faults in the parts; calculating a third set of probabilities associated with indirect violation faults in the parts; and obtaining the value of probabilistic metric for random hardware failure in dependence on the first, second and third sets of probabilities.

2. The method of claim 1, wherein obtaining the value of probabilistic metric for random hardware failure includes adding the first, second and third sets of probabilities.

3. The method of claim 2, wherein obtaining the value of probabilistic metric for random hardware failure includes dividing by an estimated life time of the system.

4. The method of claim 1, further comprising: identifying a fourth set of probabilities associated with the second layer safety mechanisms, wherein obtaining the value of probabilistic metric for random hardware failure includes adding the first, second, third and fourth sets of probabilities, or wherein the first and second sets of probabilities include the fourth set of probabilities.

5. The method of claim 1, wherein the value of the probabilistic metric for random hardware failure is obtained in accordance with parts 1 to 10 of the 1st edition of the ISO 26262 standard.

6. The method of claim 1, further comprising, for each first layer safety mechanism: determining whether a fault affecting a first layer safety mechanism is a direct violation fault or an indirect violation fault; determining whether the fault is covered by a second layer safety mechanism; and in dependence upon the fault being covered by the second layer safety mechanism, establishing a link between the first layer safety mechanism and the second layer safety mechanism.

7. The method of claim 1, further comprising, for each element: determining whether a fault affecting an element is a direct violation fault or an indirect violation fault; determining whether the fault is covered by a first layer safety mechanism; and in dependence upon the fault being covered by the first layer safety mechanism, establishing a link between the part and the first layer safety mechanism.

8. The method of claim 1, wherein calculating the second set of probabilities comprises, for each part: determining whether the part has one or more direct violation faults and, upon a positive determination, calculating a contribution due to the direct violation fault(s); and determining whether the part has one or more indirect violation faults and, upon a positive determination, calculating a contribution due to indirect violation fault(s).

9. The method of claim 1, wherein calculating the second set of probabilities comprises: summing probabilities for a set of different fault and safety mechanism failure scenarios caused by direct violation fault(s).

10. The method of claim 1, wherein calculating the second set of probabilities comprises: summing probabilities for a set of different fault and safety mechanism failure scenarios caused by indirect violation fault(s).

11. The method of claim 1, wherein calculating the third set of probabilities comprises, for each part: determining whether the part is linked to another part; determining a contribution to the probabilistic metric for random hardware failure due to indirect violation faults for the part and the other part.

12. The method of claim 1, wherein the electronic system is an integrated circuit or a plurality of electronic components.

13. A method of generating functional safety data for a design of an electronic system which comprises a plurality of elements, the method comprising: receiving configuration data which includes fault-related data and analysis-related data; receiving fault impact analysis data comprising data indicative of impact of one or more faults on an output of each element; receiving fault coverage analysis data comprising data indicative of an extent to which each element is covered by safety mechanism(s); generating functional safety data using the configuration data, the fault impact analysis data and the fault coverage analysis data; determining a probabilistic metric for random hardware failure using a method according to any preceding claim; and storing a report including the configuration data, the fault impact analysis data, the fault coverage analysis data and the functional safety data.

14. A method of designing an electronic component, the method including: preparing a design of the electronic component; generating functional safety data according to claim 13 for a first design of the electronic component; preparing a revised design of the electronic component in dependence upon the functional safety data.

15. A method of fabricating an electronic component, the method comprising: designing an electronic component according to claim 14; and fabricating an electronic component according to the revised design.

16. An electronic component fabricated by a method according to claim 15.

17. A computer program product comprising a non-transitory computer-readable medium storing a computer program which, when executed by data processing apparatus, causes the data processing apparatus to perform the method of claim 1.

18. A design support system which includes data processing apparatus comprising: at least one processor; and memory; wherein the at least one processor is configured to perform the method of claim 1.